
> That's actually great that industry standards are being codified with actual deterrents for failing to strongly store secure passwords.

What would be better is for us folks to do this to ourselves first. If self regulation works well, the government will never need to step in. The GDPR seems to be pretty good, but it's not unimaginable that some assholes in office who are looking to get reelected respond to a high-profile data breach by making a shitty set of regulations to govern all software developers in the country for all time.

W.R.T. enforcing compliance, having a licensing board that oversees this would provide incentive to developers to not cut corners, and would also provide a way to resist management that is intent on releasing a shitty product quickly in the hope of making a quick buck before it all crashes down / padding their resume.



So, in terms of self-enforcement, I have pretty much every poorly built PHP webapp from 1996-2014 as evidence that this won't happen. People are bad at security, including big people with lots to lose (see... I don't know, any high profile breach ever) so regulating this is quite necessary. Sometimes it'll even empower developers to push back on deadlines with the comment that cutting security corners will violate laws.


I don't think this is a practical solution at all. What would a licensing board certification entail? Thousands of certifications already exist, and we don't take any of them seriously. Why would the licensing board have any power? We'd need software engineers to form a union or have government regulate that companies hire certified engineers. Either way, there needs to be some enforcement mechanism.

Shifting the onus on security away from the companies and onto the developers also seems like a bad idea. With GDPR, there is a financial incentive for companies to use good practices. With a licensing board, companies will care far less if Joe Q Developer might lose his license. Why would they care unless there is financial or legal incentive? I just don't see how this would work without getting back to government regulation. I'll definitely reconsider my viewpoint if you have a solution to this hurdle.


Yeah, I disagree. Most companies would just not sign up to the licensing board. Also, from a practical standpoint, imagine trying to license every site on the internet!

I've never built a website that doesn't securely store passwords. I've definitely _used_ websites that do though [0]. Up until now my only choice is to stop using any of these sites and just hope they magically fix their crap.

It's obvious which would be a better motivator for any of these sites, either receiving an email stating "what you're doing is wrong, and insecure" or one stating "what you're doing is wrong and insecure and, by the way, you could be fined €50,000" [1].

[0] https://plaintextoffenders.com/

[1] https://www.gamingtechlaw.com/2019/04/first-gdpr-fine-italy....



